I have been seeing a lot of weird/bogus DNS traffic (thousands of queries a second) hitting our servers lately and I decided to try and block it. Specifically I saw tons of requests coming in for proxypipe.net with a bunch of random hosts prepended. Things like: 6Gdb1QlP.f.proxypipe.net., mhl00ULG.e.proxypipe.net., clacqxlG.f.proxypipe.net., etc. I decided I would block all DNS requests that contained the "proxypipe.net" anywhere in the packet.

The easiest way is to use iptables to block packets that contain a specific string. The catch with this approach is that DNS packets do not carry the name as a plain dotted string. Instead each name is encoded label by label, in this manner: X domain Y TLD

Where X is the number of bytes in the domain portion, and Y is the number of bytes in the TLD portion; the dots themselves never appear in the packet. Matching on that encoded form is what gives the iptables rules below their shape:
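To make the encoding concrete before looking at the rule itself, here is an added Python example (not from the original post) that builds the length-prefixed wire form of a name, assembles a minimal DNS query around it the way a resolver would, and emits the pattern in the `|..|` hex syntax that iptables' `-m string --hex-string` expects. The sample query names are constructed to resemble the ones seen in the logs above; `proxypipe.net` is the suffix being matched.

```python
import struct

# Constructed sample query names, modelled on the ones observed in the post.
SAMPLE_QUERIES = [
    "6Gdb1QlP.f.proxypipe.net",
    "mhl00ULG.e.proxypipe.net",
    "www.example.com",
]


def dns_wire_name(name: str) -> bytes:
    """Encode a domain name in DNS wire format.

    Each label is prefixed by a one-byte length; the name ends with a
    zero-length label (a single 0x00 byte). The dots are not transmitted.
    """
    out = bytearray()
    for label in name.rstrip(".").split("."):
        data = label.encode("ascii")
        if not 1 <= len(data) <= 63:  # RFC 1035 label length limit
            raise ValueError(f"bad label length: {label!r}")
        out.append(len(data))
        out += data
    out.append(0)
    return bytes(out)


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query: 12-byte header plus one question (A record by default)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    question = dns_wire_name(qname) + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    return header + question


def hex_string_pattern(suffix: str) -> str:
    """Render the wire encoding of a name suffix in iptables --hex-string syntax.

    Printable bytes stay literal; everything else goes inside |..| as hex,
    with adjacent non-printable bytes grouped into one |..| run.
    """
    out, hexrun = [], []

    def flush():
        if hexrun:
            out.append("|" + "".join(hexrun) + "|")
            hexrun.clear()

    for b in dns_wire_name(suffix):
        if 0x21 <= b <= 0x7E and b != 0x7C:  # printable and not the '|' delimiter
            flush()
            out.append(chr(b))
        else:
            hexrun.append(f"{b:02x}")
    flush()
    return "".join(out)


def matches(payload: bytes, suffix: str) -> bool:
    """Mimic what the xt_string match does: look for the encoded suffix anywhere in the packet."""
    return dns_wire_name(suffix) in payload


if __name__ == "__main__":
    suffix = "proxypipe.net"
    for qname in SAMPLE_QUERIES:
        pkt = build_query(qname)
        print(f"{qname:28s} dotted-string present: {suffix.encode() in pkt!s:5}  "
              f"wire-form present: {matches(pkt, suffix)}")
    # The pattern below is what a string-match rule on UDP/53 would carry, e.g.
    #   iptables -A INPUT -p udp --dport 53 -m string --algo bm --hex-string "<pattern>" -j DROP
    print("hex-string pattern:", hex_string_pattern(suffix))
```

Running it shows why a plain `--string "proxypipe.net"` rule never fires: the dotted string is absent from every packet, while the length-prefixed form is present in the two proxypipe queries and absent from the unrelated one. Keeping the trailing `|00|` in the pattern anchors the match to the end of the name, so `proxypipe.network` is not caught, and because the leading `|09|` is part of the pattern a label such as `xproxypipe` (length 10) does not match either.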